Status: Solved

Windows Server 2003 zone transfer configuration recommendations, anyone?

Hello all,
We have a three-domain environment as follows:

gcg.net - root dc (does very little) !
cs.gcg.net - central services (the core servers at the datacentre)
gc3.cs.gcg.net - sites (end users across uk/europe/america)

I am a little dubious about the configuration that we have regarding zone transfers for our subnets.

All of gc3 appears to be absolutely fine: one reverse lookup zone per site, with zone transfers enabled to each server listed in the Name Servers tab. The Name Servers tab is populated with gc3 servers only.

In the CS domain, I do not have all the reverse lookup zones added that exist in the gc3 domain. I do, however, randomly have some that have been added, although I have no idea why, or whether they should all be added from the gc3.cs.gcg.net domain.

Each site has its own local DNS server holding a copy of the gc3.cs.gcg.net zone and a copy of all the reverse lookup zones for that domain.

Clients on site at any gc3.cs.gcg.net location need to be able to resolve any cs.gcg.net machine, which they are able to do via the forwarders configuration within DNS.

cs.gcg.net central servers need to be able to resolve all gc3.cs.gcg.net machines.

When I look at the reverse lookup zones in the cs.gcg.net domain that HAVE already been added, zone transfers are disabled.

When I look at the same reverse lookup zones in gc3.cs.gcg.net, they are all enabled (by me) and working.

I'm at a bit of a loss as to which reverse lookup zones should be added in cs.gcg.net and which zone transfers should be allowed between where.

The authoritative DNS servers for each domain are as follows:

gck23s009.gc3.cs.gcg.net (root DC for gc3.cs.gcg.net)
gck23s002.cs.gcg.net (DC1 for cs.gcg.net)
gck23s002.cs.gcg.net (Root DC for cs.gcg.net)

All advice greatly appreciated...

Asked by: Greencore

1 Solution

Chris Dent (PowerShell Developer) commented:

Hey :)

I would move away from Zone Transfers as a mechanism for distributing this personally.

I would do the following:

cs.gcg.net - Change the replication scope to "All DNS Servers in the AD Forest"
cs.gcg.net - Add a Delegation for gc3.cs.gcg.net, delegation to include all DNS servers hosting the zone
gc3.cs.gcg.net - Ensure Replication is set to "All DNS Servers in the AD Domain"

So far that meets the requirements for host name resolution from parent domain to child domain and vice versa. The cost of replicating the cs.gcg.net zone to the entire forest can be tweaked by increasing the No-Refresh interval to reduce the rate of change, if necessary.

Reverse lookups are a bit more complex because you have a higher number of sub-domains (subnets) than with forward lookup. That makes the delegation model complex at best (because it only follows classful IP ranges).

Potential options are:

1. One Reverse Lookup Zone

a. Configure a single Reverse Lookup Zone that covers all subnets within the Forest.
b. Set the zone to replicate to "All DNS Servers in the AD Forest".

If rate of change is high that may place more of a burden on replication traffic than is desirable.

2. One parent with delegated children

a. Configure a parent zone at cs.gcg.net, e.g. 10.in-addr.arpa.
b. Set the zone to replicate to "All DNS Servers in the AD Forest".
c. Configure a delegation for each child subnet (e.g. 10.10.in-addr.arpa)

Both methods allow global resolution of all IP addresses. One carries a higher replication cost, the other a higher administrative cost (maintaining delegations).

If I think of any more I'll be sure to pop them in :)

Chris
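The following script is an added example, not part of Chris Dent's answer and not Microsoft-supplied code. It carries out the steps above on the servers named in the question using dnscmd.exe, because the DnsServer PowerShell module does not exist on Windows Server 2003. The glue address 10.10.0.9 for gck23s009 and the assumption that every site subnet falls inside 10.0.0.0/8 are placeholders; substitute the real values. The Invoke-Dnscmd helper is a hypothetical wrapper written for this example. Run it as an Enterprise Admin on a domain controller in cs.gcg.net.

```powershell
# Added example: dnscmd-based implementation of the answer above.
# ASSUMPTIONS (not from the original post): gck23s009 is at 10.10.0.9 and all
# site subnets sit inside 10.0.0.0/8. Run as Enterprise Admin on a cs.gcg.net DC.

$parentDns   = 'gck23s002.cs.gcg.net'     # authoritative for cs.gcg.net (from the question)
$childDns    = 'gck23s009.gc3.cs.gcg.net' # authoritative for gc3.cs.gcg.net (from the question)
$childGlueIp = '10.10.0.9'                # ASSUMED address of the child DNS server

function Invoke-Dnscmd {
    # Hypothetical helper: echoes each call and stops the script on a non-zero exit code,
    # so a failed step is never silently skipped. An array passed to a native exe is
    # expanded into separate arguments by PowerShell.
    param([string]$Server, [string[]]$Arguments)
    Write-Host "dnscmd $Server $($Arguments -join ' ')"
    $output = & dnscmd.exe $Server $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd failed with exit code $LASTEXITCODE: $output"
    }
    $output
}

# 0. A zone can only be scoped to "All DNS servers in the AD forest" once the
#    ForestDnsZones application partition exists. This is a no-op if it already does.
Invoke-Dnscmd $parentDns @('/CreateBuiltinDirectoryPartitions', '/Forest')

# 1. cs.gcg.net: replicate to every DNS server in the forest, which includes the
#    gc3 site DCs, so they no longer need a transferred copy or a forwarder for it.
Invoke-Dnscmd $parentDns @('/ZoneChangeDirectoryPartition', 'cs.gcg.net', '/Forest')

# 2. cs.gcg.net: delegate gc3.cs.gcg.net. In DNS a delegation is nothing more than
#    NS records at the child node plus glue A records for any name server that lives
#    inside the delegated zone. Repeat this pair for every server hosting gc3.cs.gcg.net.
Invoke-Dnscmd $parentDns @('/RecordAdd', 'cs.gcg.net', 'gc3', 'NS', "$childDns.")
Invoke-Dnscmd $parentDns @('/RecordAdd', 'cs.gcg.net', 'gck23s009.gc3', 'A', $childGlueIp)

# 3. gc3.cs.gcg.net: keep it replicated to all DNS servers in the gc3 domain.
Invoke-Dnscmd $childDns @('/ZoneChangeDirectoryPartition', 'gc3.cs.gcg.net', '/Domain')

# 4. Reverse lookup, option 2 from the answer: one forest-replicated parent zone
#    (10.in-addr.arpa) held in cs.gcg.net, with one delegation per site subnet.
#    Here 10.10.0.0/16 is delegated to the gc3 site server; add a line per subnet.
Invoke-Dnscmd $parentDns @('/ZoneAdd', '10.in-addr.arpa', '/DsPrimary', '/dp', '/forest')
Invoke-Dnscmd $parentDns @('/RecordAdd', '10.in-addr.arpa', '10', 'NS', "$childDns.")

# Checks. The zone info should report the zone as DS-integrated in the forest
# partition, and the parent server should answer the NS queries for both delegations.
Invoke-Dnscmd $parentDns @('/ZoneInfo', 'cs.gcg.net') | Select-String 'DsIntegrated|Partition'
nslookup -type=NS gc3.cs.gcg.net $parentDns
nslookup -type=NS 10.10.in-addr.arpa $parentDns
```

Two points worth checking before running this against production. First, once every zone is AD-integrated the Zone Transfers tab stops mattering for replication between DCs; it only governs copies to non-AD secondaries, so leaving transfers disabled on the cs.gcg.net servers is the safer default. Second, a server follows a delegation only if it does not itself host the child zone: any of the stray per-subnet reverse zones already present on the cs.gcg.net servers must be deleted there (dnscmd /ZoneDelete) before the delegation in 10.in-addr.arpa will be used.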
